
SE-PostgreSQL - System wide consistency of access control

slides on LinuxCon Japan 2010


Transcript

  • 1. SE-PostgreSQL: System-wide consistency of access control
    NEC OSS Promotion Center, KaiGai Kohei <kaigai@ak.jp.nec.com>
  • 2. Self Introduction
    ▐ Name: KaiGai Kohei
    ▐ Company: NEC, OSS Promotion Center
    ▐ Works: 7 years' experience of OSS development
      » SELinux
      » PostgreSQL
      » Memcached
      » Apache (mod_selinux)
    ▐ SE-PostgreSQL Project
      It enables access control on database objects using the centralized security policy of SELinux.
      Launched in 2006; since then I've worked with both the SELinux and PostgreSQL communities.
      Now under development as a plugin for PostgreSQL v9.1.
    Page 2, LinuxCon Japan/Tokyo 2010, SE-PostgreSQL - System-wide consistency of access control -
  • 3. Agenda
    1. The Goal of this project
    2. Architecture of SE-PostgreSQL
    3. Playing with SE-PostgreSQL (demonstration)
    4. Today, and the Future
  • 4. 1. The Goal of this Project
  • 5. An analogy on Filesystem and Database
    [Diagram: user process -> request -> object manager -> information asset]
      Filesystem: user process -> system call -> OS (Linux), permission checks -> filesystem
      Database:   user process -> SQL -> RDBMS (PostgreSQL), ACLs -> database
    ▐ The same relationship holds among user processes, requests, object managers and information assets.
    ▐ Differences in the way to store and access them: system calls for the filesystem, SQL for databases.
    ▐ Also differences in the access control model. What difference does that make in the result?
  • 6. The Goal of this project (1/2)
    [Diagram: two human users log in and run bash, vi and psql; one set of processes sits in the domain of classified processes, the other in the domain of unclassified processes. Both reach the filesystem, networks, X-window and PostgreSQL, which hold classified and unclassified information, over inter-process communication channels.]
    Both of them try to reference classified information, but the access controls are independent.
  • 7. Lack of conductor
  • 8. The Goal of this project (2/2)
    [Diagram: the same two users, processes (bash, vi, psql) and resources (filesystem, networks, X-window, PostgreSQL) as on slide 6, but now a centralized security server, SELinux with its security policy, makes the access control decisions for all of them, across the domain of classified processes and the domain of unclassified processes.]
  • 9. OT: LAMP/SELinux
    [Diagram: Apache/httpd with mod_selinux.so runs web applications in the domain of classified processes and in the domain of unclassified processes; they access classified and unclassified information in the filesystem, networks, Memcached and PostgreSQL, all under the access control of the SELinux security policy.]
  • 10. SELinux as a Security Server (1/3)
    ▐ Interactions with object managers
      Kernel subsystems query it via LSM.
      Userspace applications query it via libselinux.
      Both of them control users' requests according to the decision.
    ▐ Security context as a common identifier
      system_u:system_r:postgresql_t:s0
      system_u:object_r:sepgsql_table_t:s0
      A short formatted text, independent of object classes.
    ▐ Security policy
      A massive set of access control rules. A rule describes the set of actions allowed on a pair of a security context of the subject (the process making the access) and a security context of the object being accessed.
  • 11. SELinux as a Security Server (2/3)
    ▐ Case of the Linux kernel
    [Diagram: user process A (staff_u:staff_r:staff_t:s0) and user process B (user_u:user_r:user_t:s0) issue read(2)/write(2) on File X (system_u:object_r:etc_t:s0) and File Y (user_u:object_r:user_home_t:s0). The kernel's VFS calls the LSM hooks, and SELinux consults the security policy with a query of the form:
      Subject: user_u:user_r:user_t:s0
      Object: user_u:object_r:user_home_t:s0
      Target class: file
      Permissions: file:{getattr read write ...}]
  • 12. SELinux as a Security Server (3/3)
    ▐ Case of PostgreSQL
    [Diagram: user process A (staff_u:staff_r:staff_t:s0) and user process B (user_u:user_r:user_t:s0) issue SELECT/UPDATE on Table X (user_u:object_r:user_table_t:s0) and Table Y (system_u:object_r:sepgsql_ro_table_t:s0). The query executor calls SE-PgSQL, which asks SELinux through libselinux with a query of the form:
      Subject: user_u:user_r:user_t:s0
      Object: user_u:object_r:user_table_t:s0
      Target class: db_table
      Permissions: db_table:{select update ...}]
  • 13. 2. Architecture of SE-PostgreSQL
  • 14. What was necessary to be enhanced
    1. Security hooks
    2. pg_seclabel system catalog
    3. SQL statement support (SECURITY LABEL)
    4. An intermediator module
    [Diagram: a query such as SELECT * FROM t1 WHERE x = 2; passes DB authentication and the query parser (with SECURITY LABEL statement support), then the query executor. The SE-PgSQL plugin sits between the executor's security hooks and libselinux/SELinux in the Linux kernel, and stores labels in pg_seclabel next to the user tables and system catalogs.]
  • 15. Idea of External Security Provider
    ▐ Background
      The earlier version of SE-PostgreSQL was launched in 2006.
      Not an easy path to get merged, because of ...
      • A large-scale patch, even with minimum functionality
      • Few people in the PgSQL community are familiar with SELinux
      • Not neutral with respect to other security mechanisms
    ▐ Idea of External Security Provider (ESP)
      A similar idea to LSM and XACE.
      PG provides a set of security hooks which allow third-party plugins to make their own access control decisions.
      • The patch can be broken up into smaller pieces.
      • SELinux-specific code can be moved into the plugin modules.
      • Open to other security models in the future.
      The first version of ESP shall be bundled in v9.1.
  • 16. Security Hooks (1/2)
      bool
      ExecCheckRTPerms(List *rangeTable, bool ereport_on_violation)
      {
          :
          if (ExecutorCheckPerms_hook)
              result = (*ExecutorCheckPerms_hook)(rangeTable, ereport_on_violation);
          return result;
      }
      -> bool sepgsql_relation_privileges(...)
    ▐ ExecCheckRTPerms()
      It is the routine that checks permissions on DML statements.
      The list of RangeTblEntry contains all the necessary information:
      • OID of the relation to be referenced
      • Flags of the required privileges (e.g. ACL_SELECT, ACL_UPDATE, ...)
      The ESP hook allows plugins to make their own access control decision.
      On a violation, the plugin either raises an error or returns false, according to ereport_on_violation.
  • 17. Security Hooks (2/2)
    [Diagram: the user process (staff_u:staff_r:staff_t:s0) connects to PostgreSQL over a labeled IPsec connection; the IKE daemons on both sides carry the security context, and SE-PgSQL retrieves it with getpeercon(3) from its authentication hook.]
    ▐ SELinux provides labeled IPsec and getpeercon(3)
      The IKE daemon delivers the security context of the user process.
      getpeercon(3) allows retrieving the delivered security context.
      Requires: kernel >= 2.6.18, ipsec-tools >= 0.7.2
    ▐ (Post-)authentication hook
      It allows ESP plugins to take control after database authentication.
      SE-PgSQL retrieves the security context of the peer process and uses it as the privileges of the client.
  • 18. pg_seclabel system catalog
      postgres=# SELECT * FROM pg_catalog.pg_seclabel;
       reloid | objoid | subid |   tag   |                 label
      --------+--------+-------+---------+---------------------------------------
         1259 |   2619 |     0 | selinux | system_u:object_r:sepgsql_sysobj_t:s0
         1259 |   2619 |    -7 | selinux | system_u:object_r:sepgsql_sysobj_t:s0
         1259 |   2619 |    -6 | selinux | system_u:object_r:sepgsql_sysobj_t:s0
         1259 |   2619 |    -5 | selinux | system_u:object_r:sepgsql_sysobj_t:s0
            : |      : |     : |    :    |                 :
    [Diagram: how pg_seclabel rows map to database objects]
      reloid | objoid | subid | label                                     -> object
      1259   | 1234   | 0     | system_u:object_r:sepgsql_table_t:s0      -> table X (pg_class, OID = 1234)
      1259   | 5468   | 0     | system_u:object_r:sepgsql_ro_table_t:s0   -> table Y (pg_class, OID = 5468)
      1259   | 5468   | 4     | system_u:object_r:sepgsql_ro_column_t:s0  -> column 4 of table Y
      1255   | 8901   | 0     | system_u:object_r:sepgsql_proc_exec_t:s0  -> SQL function Z (pg_proc, OID = 8901)
  • 19. SECURITY LABEL statement
      SECURITY LABEL [ FOR <provider> ] ON <objtype> <objname> IS <security label>
    ▐ This new SQL syntax provides an interface to change the security label of database objects.
    ▐ The ESP can validate the supplied label and check the user's privileges.
      postgres=# SECURITY LABEL ON TABLE t1 IS 'system_u:object_r:sepgsql_ro_table_t:s0';
      LOG:  SELinux: allowed { setattr relabelfrom } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name=t1
      LOG:  SELinux: allowed { relabelto } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_ro_table_t:s0 tclass=db_table name=t1
      SECURITY LABEL
  • 20. OT: Default security context on table creation
    ▐ DefineRelation() also calls the ESP plugin ...
      1. to check permission for table creation
      2. to get the security context to be assigned to the new table
    ▐ A table has its security context from its creation time; the user can then relabel it using the SECURITY LABEL statement.
    [Diagram: CREATE TABLE statement -> SQL parser -> DefineRelation() -> ESP hook -> plugin (sepgsql.so): (1) permission checks, (2) compute a default security context from the properties of the new table. A user creating a table from a classified context gets a classified new table.]
  • 21. As an intermediator between PgSQL and SELinux
    [Diagram: the query arrives carrying the OID of the table and the query type; sepgsql.so is invoked via the hook, takes the table's security context from pg_seclabel (tcontext) and the client's context from getpeercon(3) (scontext), asks SELinux through libselinux for a decision on sbj: user_u:user_r:user_t:s0, obj: system_u:object_r:sepgsql_table_t:s0, class: db_table, permissions db_table:{ select update ... }, and hands the decision back to the query.]
    ▐ sepgsql.so is the ESP plugin of SE-PostgreSQL.
    ▐ It interprets the terms of PgSQL into the terms of SELinux:
      OID of the table -> security context of the table
      ACL_SELECT -> db_table:{select} permission
    ▐ Then it interprets SELinux's decision into a status of PgSQL:
      access denied -> ereport(ERROR, ...)
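As an added example, not code from the SE-PostgreSQL project or from PostgreSQL, here is a stand-alone C model of the hook path on slides 16 and 21: ExecCheckRTPerms() hands the range table to the ESP hook, and the plugin turns the relation OID into a security context (through a constructed stand-in for pg_seclabel) and each ACL_* bit into a db_table permission name before consulting a constructed policy. The OIDs, labels, policy rules and client context are assumptions; a real plugin would call libselinux for the decision and ereport(ERROR) instead of recording a message.

```c
/* Added example, not PostgreSQL or sepgsql source: a stand-alone C model of the
 * ESP hook path. OIDs, labels, policy rules and the client context are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned int Oid;

/* Modelled on PostgreSQL's ACL_* privilege bits. */
#define ACL_INSERT (1u << 0)
#define ACL_SELECT (1u << 1)
#define ACL_UPDATE (1u << 2)
#define ACL_DELETE (1u << 3)

typedef struct { Oid relid; unsigned int requiredPerms; } RangeTblEntry;

/* The hook slot; the executor consults it after its own ACL checks have passed. */
typedef bool (*ExecutorCheckPerms_hook_type)(const RangeTblEntry *, size_t, bool);
static ExecutorCheckPerms_hook_type ExecutorCheckPerms_hook = NULL;

char last_error[256];                 /* stands in for the ereport(ERROR, ...) message */

static bool ExecCheckRTPerms(const RangeTblEntry *rt, size_t n, bool ereport_on_violation)
{
    bool result = true;               /* built-in ACL checks assumed to have passed */
    if (ExecutorCheckPerms_hook)
        result = (*ExecutorCheckPerms_hook)(rt, n, ereport_on_violation);
    return result;
}

/* ---- plugin side, modelling sepgsql.so ---- */
/* Constructed pg_seclabel rows: relation OID -> security context. */
static const struct { Oid oid; const char *label; } seclabels[] = {
    { 1234, "system_u:object_r:sepgsql_table_t:s0" },
    { 5468, "system_u:object_r:sepgsql_ro_table_t:s0" },
};

/* Constructed policy: db_table permissions allowed for each (scontext, tcontext). */
static const struct { const char *scontext, *tcontext, *perms; } policy[] = {
    { "user_u:user_r:user_t:s0", "system_u:object_r:sepgsql_table_t:s0",    "select insert update delete" },
    { "user_u:user_r:user_t:s0", "system_u:object_r:sepgsql_ro_table_t:s0", "select" },
};

/* Client context, as getpeercon(3) would have delivered it at authentication time. */
static const char *client_context = "user_u:user_r:user_t:s0";

static const char *lookup_seclabel(Oid oid)
{
    for (size_t i = 0; i < sizeof seclabels / sizeof seclabels[0]; i++)
        if (seclabels[i].oid == oid)
            return seclabels[i].label;
    return NULL;                      /* assumption: unlabeled relations are denied */
}

/* ACL_* bit -> db_table permission name: the PgSQL-to-SELinux translation step. */
static const char *acl_to_dbtable_perm(unsigned int bit)
{
    return bit == ACL_INSERT ? "insert" : bit == ACL_SELECT ? "select"
         : bit == ACL_UPDATE ? "update" : "delete";
}

static bool policy_allows(const char *sc, const char *tc, const char *perm)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (!strcmp(policy[i].scontext, sc) && !strcmp(policy[i].tcontext, tc))
            return strstr(policy[i].perms, perm) != NULL;  /* no perm name is a substring of another */
    return false;                     /* SELinux is default-deny */
}

/* The hook body: PgSQL terms in, SELinux decision out, PgSQL status back. */
static bool sepgsql_relation_privileges(const RangeTblEntry *rt, size_t n, bool ereport)
{
    for (size_t i = 0; i < n; i++) {
        const char *tcontext = lookup_seclabel(rt[i].relid);
        for (unsigned int bit = ACL_INSERT; bit <= ACL_DELETE; bit <<= 1) {
            if (!(rt[i].requiredPerms & bit))
                continue;
            const char *perm = acl_to_dbtable_perm(bit);
            if (tcontext && policy_allows(client_context, tcontext, perm))
                continue;
            if (ereport)              /* the real ereport(ERROR, ...) never returns */
                snprintf(last_error, sizeof last_error,
                         "SELinux: denied { %s } scontext=%s tcontext=%s tclass=db_table",
                         perm, client_context, tcontext ? tcontext : "(unlabeled)");
            return false;
        }
    }
    return true;
}

void install_sepgsql_hook(void) { ExecutorCheckPerms_hook = sepgsql_relation_privileges; }

/* Check one statement against a single-relation range table. */
bool run_query(Oid relid, unsigned int perms, bool ereport)
{
    RangeTblEntry rte = { relid, perms };
    last_error[0] = '\0';
    return ExecCheckRTPerms(&rte, 1, ereport);
}
```

With the hook installed, UPDATE on relation 5468 (labelled sepgsql_ro_table_t) is refused with a message in the same shape as the LOG lines on slide 19, while SELECT on it passes; without the hook the built-in ACL result stands. The hook is appended to the executor's own checks, so it can only tighten what PostgreSQL's ACLs already allow, never loosen it.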
  • 22. OT: Userspace access vector cache (avc)
    ▐ security_compute_xxx() always invokes a system call; the AVC caches recently used access control decisions.
    [Diagram: avc_has_perms() first runs a validation check of the userspace cache by a memory reference to /selinux/status, mapped with mmap(2) (selinux_kernel_status); if the cache is invalid it is reset. It then looks up an avc entry in the cache: if found, the decision is returned; if not found, a system call to /selinux/access or /selinux/create checks the access permissions against the security policy, a new avc entry is made, and the decision is returned. Heuristically, the hit rate is over 99.9%.]
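To make the design on this slide concrete, here is an added C model of a userspace AVC; it is not libselinux code. Decisions are cached per (scontext, tcontext, tclass); every lookup first compares a sequence number that stands in for the mmap'ed /selinux/status page, and a changed number resets the whole cache before the kernel is asked again. The permission encoding, the policy table, the counters and the reload function are assumptions made for the example.

```c
/* Added example, not libselinux code: a stand-alone model of the userspace AVC.
 * The permission encoding, policy table and sequence-number scheme are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed permission bits for the db_table class. */
#define DB_TABLE__SELECT (1u << 0)
#define DB_TABLE__UPDATE (1u << 1)

#define CTX_USER     "user_u:user_r:user_t:s0"
#define CTX_TABLE    "system_u:object_r:sepgsql_table_t:s0"
#define CTX_RO_TABLE "system_u:object_r:sepgsql_ro_table_t:s0"

/* ---- kernel side: the security policy, reachable only through a system call ---- */
struct rule { const char *sc, *tc, *tclass; unsigned int allowed; };

static struct rule kernel_policy[] = {                 /* constructed rules */
    { CTX_USER, CTX_TABLE,    "db_table", DB_TABLE__SELECT | DB_TABLE__UPDATE },
    { CTX_USER, CTX_RO_TABLE, "db_table", DB_TABLE__SELECT },
};

/* What /selinux/status exposes via mmap(2): a counter bumped on every policy reload. */
static unsigned int kernel_policy_seqno = 1;
static unsigned long syscalls = 0;          /* how often we fell through to /selinux/access */

/* Models security_compute_av(): always costs a system call. */
static unsigned int kernel_compute_av(const char *sc, const char *tc, const char *tclass)
{
    syscalls++;
    for (size_t i = 0; i < sizeof kernel_policy / sizeof kernel_policy[0]; i++)
        if (!strcmp(kernel_policy[i].sc, sc) && !strcmp(kernel_policy[i].tc, tc)
            && !strcmp(kernel_policy[i].tclass, tclass))
            return kernel_policy[i].allowed;
    return 0;                               /* default deny */
}

/* Policy reload: the decision for (user_t, ro_table) changes, and the seqno moves. */
void reload_policy_allow_update_on_ro(void)
{
    kernel_policy[1].allowed |= DB_TABLE__UPDATE;
    kernel_policy_seqno++;
}

/* ---- userspace side: the access vector cache ---- */
#define AVC_SIZE 64
struct avc_entry { bool used; const char *sc, *tc, *tclass; unsigned int allowed; };

static struct avc_entry avc[AVC_SIZE];      /* keeps pointers; callers pass string literals here */
static unsigned int avc_seqno = 0;          /* seqno the cached decisions were computed under */
unsigned long avc_hits = 0, avc_misses = 0;

/* The validity check before every lookup: a memory read of the mapped status page,
 * not a system call. A stale cache is dropped wholesale. */
static void avc_validate(void)
{
    if (avc_seqno != kernel_policy_seqno) {
        memset(avc, 0, sizeof avc);
        avc_seqno = kernel_policy_seqno;
    }
}

bool avc_has_perm(const char *sc, const char *tc, const char *tclass, unsigned int perm)
{
    avc_validate();
    struct avc_entry *slot = NULL;
    for (size_t i = 0; i < AVC_SIZE; i++) {
        if (!avc[i].used) { if (!slot) slot = &avc[i]; continue; }
        if (!strcmp(avc[i].sc, sc) && !strcmp(avc[i].tc, tc) && !strcmp(avc[i].tclass, tclass)) {
            avc_hits++;
            return (avc[i].allowed & perm) == perm;
        }
    }
    avc_misses++;
    unsigned int allowed = kernel_compute_av(sc, tc, tclass);
    if (slot)                               /* a full cache simply does not cache (no eviction here) */
        *slot = (struct avc_entry){ true, sc, tc, tclass, allowed };
    return (allowed & perm) == perm;
}

unsigned long avc_syscalls(void) { return syscalls; }
```

The cached value is the whole access vector for the pair, so a second question about the same subject and object with a different permission is still a hit. After a policy reload the next lookup for every cached pair goes back to the kernel once; that is the price the status-page check pays so that a stale allow is never served.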
  • 23. 3. Playing with SE-PostgreSQL (demonstration)
  • 24. 4. Today and the Future
  • 25. Current status of SE-PostgreSQL
    ▐ Under development based on v9.1
    ▐ Work completed
      Security hook on DML permission checks
    ▐ Work in progress
      pg_seclabel and security label support
      Security hook on authentication
      Security hook on table creation
      Under discussion at the 2nd CommitFest
    ▐ Source of the SE-PgSQL plugin
      http://code.google.com/p/sepgsql/
  • 26. Future works of SE-PostgreSQL
    ▐ Comprehensive security hooks
    ▐ Backup/Restore support
    ▐ Trusted Procedure
    ▐ Security label of user tuples
    ▐ Row-level access control
    ▐ Integration with system audit
  • 27. Our Information Assets over the Cloud
    [Diagram: web applications on a web server (Apache + mod_selinux), Memcached (selinux_engine) and SE-PostgreSQL, all on Linux (SELinux) as the system platform.]
    ▐ Information assets are getting consolidated somewhere in the cloud. We can reference them anywhere, anytime, and by anybody?
    ▐ Need to ensure both data sharing and separation at the same time: system-wide consistency of access control on such a complex system.
  • 28. Any Questions?
  • 29. Thank you!
